Posted
by
Zonk
on Friday July 22, 2005 @04:45PM
from the watch-the-shadows dept.

An anonymous reader writes "Whitedust is running a interesting article on Tor, The Onion Router project sponsored by the EFF. Tor aims to offer anonymous internet use. Once sponsored by the Naval Research Lab with support from DARPA, it is now managed by The Free Haven Project. Although Tor claims to improve safety and security, the article goes into detail on how Tor can be used as a anonymous attack platform."

It's the "Yin and Yang", or the 'Yin-Yang' as I understand it-- two opposite pieces of the same energy, both integral and complementary to each other. They cannot be removed from the whole, or the whole is destroyed.

Using the word 'or' actually distorts the original meaning-- 'or' imply two different pieces, the Yin OR Yang-- with we're really talking about one thing.

Yes, this sounds pedantic, but I think it's actually an important difference.

Yin and Yang are opposites. They are two separate concepts that, together, balance one another out. If one or the other is too out of balance, you see problems, according to the theory.

But the fact that yin or yang energy can be out of balance would indicate they are, in fact, two different things. Look at Chinese medicine, some substances are considered to have a strong 'yin' value, others to be primarily 'yang'.

The parent post is entirely correct. It is Yin and Yang. Yin contains the seed of Yang. Yang contains the seed of Yin. The Tao is inseparable. To do so is a misrepresentation and would therefore not be the true Tao.

I don't know if the grandparent is Scandinavian and was trying to point out what I am about to: There are two spellings for the name. Tor and Thor. I have a friend named Tor, my own name is Thor and we both pronounce our first names in the same way [thj.no] (IPA).

The general sloppiness here drives me crazy. I'd be happy for a decent/. alternative, but it is unique in it's category.

It's not like the stories are expedited from submission to posting.. the editors here get paid money, and for that they should strive towards something better and more respectable. How hard would it be to spell-check submissions? Not hard at all.

And there's fundamentally a difference between fat-fingering "the" (which should get caught) and not knowing enough to spot "yin-yang". Perhaps

This just tells us what we already knew--online forums and chat mechanisms and other similar technologies should always be designed to require registration.

IRC is a relic from the ancient design museum, a reminder that once, when the internet was young, everyone who could run a server on the 'net could be trusted. SMTP is the same way, along with a number of other fossilized protocols. These protocols, if they are to continue to be useful in the new age of IP spoofing, dynamic IPs, and wormhole routing, need to be redesigned with a modicum of security built into them.

Most people aren't willing to create an account with their real email address to post crapfloods. The few who do can be easily banned by email address.

I know, I know, I'm posting on the world's biggest counterexample for my opinion. Such is life.

One of my 8 yahoo ones, or one of my 10 gmail accounts, or my 4 hotmail accounts or the mailinator account I'm about to make up for the next online form I come across that requires a 'valid email address'?

Or do you mean the 'real' email address that belongs to one of the more obscure web-based email services?

Real authentication is impractical in large numbers; this is why it has never been implemented. It barely worked when you sent a photo copy of your drivers' license in to your local BBS; but now, in t

The point is that an extra layer of authentication makes it harder. Nothing makes it impossible, but at some point, it becomes hard enough that most people planning to do stupid things (crapfloods, spam, trolls, etc.) won't bother unless they're making a lot of money doing it.

You are forgetting about the @sshole factor.There are WAY to many people out there that just LOVE to hassle,start trouble,And generally be an @sshole.
It doesn't matter how hard you make it,If someone can use it to make someone elses life miserable they WILL find a way.

Literary authors in the past authored quite a few creations under artistic names. It's especially nice to use names like sillybilly on slashdot, where you can let it go and voice your opinions and abuse your right to freedom of expression to the limit, without having to fear someone disliking a single sentence of yours and hunting you down for it. I mean it's not impossible, nothing's impossible, but it adds an extra fence, extra layer of safety. I don't think I'd like to know everyone's real names here, be

I like this nickname, because it has so many sides. First, it's cute, immature, happy, childish. Childish is someone who is overly honest to the point of innocence and hasn't lost the ability to still wonder at a top spinning, a magnet pushing another one apart, or be like a baby dazzled by the colors and textures spinning before his eyes.
2nd, I tend to get overly serious and grandiose sometimes, and then all you have to do is look at the name, to come back to your senses. Imagine bugs bunny telling you th

My post was meant to be humorous.You see, I was criticizing you for using a ridiculous nickname, when my own nickname is just as ridiculous.To make this clear, I signed my post, which I normally never do.Intentional hypocracy is supposed to be funny here on Slashdot, and, occasionally, elsewhere.It's like those posts that begin "Your a moron.", which is a kind of joke because the intentionally mis-spelled "You're" is showing that the person who stated "Your a moron." is also a moron.(A similar situation is

on our irc channel we had a problem with a single jerk who always used a different nickname. so the channel was set to require a nickserv registered nick. didn't stop him. he registered his 20+ nicks and continued to annoy us.

Actually, it's also being used by security professionals and pen-testers for legitimate testing and assessment. There's currently a discussion regarding TOR for pen-testing purposes on the SecurityFocus pen-test mailing list. See http://securityfocus.com/archive/101/406238/30/0/t hreaded [securityfocus.com].

Just because the kiddies are using it doesn't minimize the usefulness of the protocol. Bitorrent, P2P, and other protocols face the same abuse issu

For a society to be free, it MUST be possible for people to do things that are against the law. That's just how it works. If people do something illegal then you can punish them, but only an extremely facist government could hope to prevent crimes before they occur.

For a society to be free, it MUST be possible for people to do things that are against the law. That's just how it works. If people do something illegal then you can punish them, but only an extremely facist government could hope to prevent crimes before they occur.

But you don't just want a free society, you want a just society. When people can commit crimes anonymously, there is no punishment.

So avoid facism, but retain your ability to punish those to actually do break the law.

Seriously. I've recently started a website that has an online forum (what, you were expecting a link? I'm not eager for a/.'ing) after a schism with another online forum, and I've gotten wave after wave of trolls coming over and wrecking the place.

I had most of them banned, and the ones with static IP addresses banned by the IP, and then one of them brilliantly discovered the use of proxies and anonymous surfing sites (it was brilliant for a bunch of trolls, atleast), and I was back at square one.

The Problem is with People. And the problem is so prolific on the internet because you can do things on the internet that in real life would get the crap beaten out of you. After all, if you walked into a bar and started calling everyone in it faggots, you'd probably wind up with a cracked skull.

You need to distinguish between someone who provides unpleasant information and someone who engages in physical assault. Calling people names is not grounds for cracking skulls or any such response. "Sticks and st

The negative to anonymity is that immature or socially maladjusted individuals can destroy the signal to noise ratio in a forum with impunity. The criteria you are "distinguishing" by isn't even relevent in the example shown. The hypothetical tool crying faggot to everyone is not providing unpleasant information. He is purposefully inciting the people around him. Mr. Tool is abusing his freedom of expression and in the non-anonymous setting a variety of social pre

"But you don't just want a free society, you want a just society."No we want a free society. People have been fighting for freedom throughout the ages.
Most people here in the US have relatives who died giving us this freedom.

You want justice at the expense of freedom, go live somewhere else - like a police state, with ID cards, where the authorities have a right to search anyone and sieze anything.
Where they can identify suspected dissenters by tracking their reading materi

If you don't want to be swallowed whole by your government, like in China, you have to be able to have the ability to remain 100% anonymous, no exceptions. Because the moment you give anyone the power to remove the cloak of anonymity, you destroy anonymity from tyrants completely.

I find arguments against online anonymity to be silly, usually taking two tracks:

Do you support the death penalty for other mentally-ill people too? Paedophiles are seriously sick individuals and the system treating them just as common criminals is why there is so much tragedy caused by them. Deal with them in the same way as the criminally-insane, namely sectioned away from those they are a danger too.

Absolutely! Those fascist laws against my killing someone who is just asking for it should be abolished! The government is infringing on my right to bitch-slap anybody that pisses me off!

While I agree that fewer laws would be better for society, I can't agree with your statement that "it MUST be possible for people to do things that are against the law". If people do things that harm other people, they should be punished in proportion to the harm done and the probability of getting caught. If nobody is harm

"but only an extremely facist government could hope to prevent crimes before they occur."

And I quote:"So we had to make a shift in the way we thought about things. So being reactive, waiting for a crime to be committed or waiting for there to be evidence of the commission of a crime, didn't seem to us to be an appropriate way to protect the American people." - John Ashcroft; June 5th, 2003 [pbs.org]

They shouldn't have had the power to arrest him, no. The very thought that 99.9% of the population of the world thinks that "intending to commit a crime" should be a crime is chilling.
They can still prevent him from doing so by killing him and then going to jail for it. As long as no government resources are involved, what's the problem?

Let's all demonize useful technology before it gets out of the gate! Next year we can all mourn the loss of Sourceforge when it's 'determined' to be a repository for terrorist software development. Oh god, won't somebody help me off of this slippery slope?!

Yeah, it's a logical fallacy, whop de doo, you know the name of some arguement technique agreed upon by ivory towered professors. It's still a valid to use in a debate considering that emperically it has a very high chance of being true to a small or large degree.

Pointing out that Bush was a C student cokehead is an ad homiem attack, yet it's a perfectly reasonable point about his competency given that he's the President.

The real problem is with the tor nodes who give unrestricted access. If you're running a node in order for people to be able to browser the web anonymously, then WHY WOULD YOU ALLOW TRAFFIC TO PORT 22 OR 6667?

Most tor nodes don't restrict traffic, and are irresponsible. Don't belive me? Check it out for yourself:

Extending that argument a bit --
Give people in government anonymity and of course they are going to do bad things with it -- especially when you toss in righteousness and a paycheck. Did you notice the House (USA) just extended the Patriot Act, giving anonymous people a paycheck to watch my web traffic in case I do something bad. Shouldn't we thwart such abuse?against such abuse? Shouldn't the billions whose web traffic is so heavily filtered they don't even know we're having this discussion be invite

Tor is a good idea, and maybe even a step in the right direction, but it is by no means a "solution" for true Net anonymity and/or privacy. In fact, it is a better tool for attack anonymity than it is for privacy.

Call me paranoid, but I don't trust anyone other than the intended recipient to decrypt any sensitive data. The way I understand the program to work (correct me if I'm wrong) is that a "trusted" server on the end decrypts your packets and acts as the "proxy" between the tor network and the Inte

You can tell tor what type of nodes to connect to, you don't have to just use "trusted nodes." It comes OOTB like that, but all it takes is a quick edit.

If you are sending unencrypted traffic over tor and you really have a need for anonymity you are stoopid anyway and you will die. If you are doing something that could cost you your freedom you need more than one layer - and tor, no matter how big the onion, is still just one layer.

You're misunderstanding the protocol. The purpose is to anonymize connections versus content.

An example scenario: a US intelligence agent may need to contact an agency server from within a foriegn country. Anyone sniffing packets would notice that a user is connecting to a server at www.someagency.mil, even if the content itself was encrypted. Tor anonymizes the connection, as the agent now connects to one of any number of Tor nodes. Tor uses encryption to protect route and address information, not conte

The way I understand the program to work (correct me if I'm wrong) is that a "trusted" server on the end decrypts your packets and acts as the "proxy" between the tor network and the Internet.

1) You don't have to use any particular node or nodes as "trusted". There is no centralization in architecture, only in default configuration.2) The trusted node can be the intended recipient.3) You should be using encryption anyway if you care about protecting your data.

You have got to be kidding me. I can barely use Tor to surf for porn at work, its so damn slow. IRC? Ya, it crawls too. This is using US tor servers too - good luck if one of the routers in the route is in some high speed country like bangladesh. Tor is a great idea maybe, but as it stands right now is so slow its not even funny.

A> It is the proxy TOR that is sprouting attack packets. Not the TOR network itself. TOR is a carrier, AND a emitter of attack launch platform. You talk only of a stopping the carrier network which is usually beyond your reach.

B> Quake will works through TOR using port redirector and a IP tunnel that works perfectly fine across UDP/TCP boundary. (although why would ANY serious gamer want to do this)

I live in the USA, and I use it all the time at my high school. Why? My high school thinks it prudent to block many sites such as hackaday.com and coxandorkum.com. I also used it when I was in china to bypass the great firewall to check my evil capitalist college email.

I think that if anyone is being blocked from visitng any site, anywhere, they should use this to show how stupid and ineffective filters are, especially in schools. Why bother to educate responsibility on the internet when you can force it on kids!

There's only two types of people that would bother with annonymous internet usage... those doing something they fear might get them in trouble, and those that fear being monitored regardless if they're doing anything bad or not... either way, annonymous internet usage is somewhat a product of fear.

Not saying there's anything wrong with acting on fear, but it can't be healthy to live always fearing "Oh no they might see me reading/." or whatnot.

as much as some people might call that flamebate.. its still basically 100% accurate...

theres always the third group who "likes to be different" and test the boundaries of the law... but that group isnt really big enough to count....

it does suck though to live in land where the freedom was paid for with more deaths than id want to count... yet - where everyones getting the opinion that its ok to have some freedoms taken away if it makes you safer... which is basicallyk why people dont fuss about the litt

I gotta wonder where the hue and cry would be if the government was cracking down on Tor instead of a fellow network admin.

Having said that, there are any number of legitimate reasons for using this technology, many of which have already been noted on here. Let's take a slightly different look at things:

There's only two types of people that would bother with annonymous internet usage... those doing something they fear might get them in trouble, and those that fear being monitored regardless if they're

there could be a situation someday where even you and your loved ones had something to fear from people knowing what you were reading and expressing, as well as knowing with whom you interacted. that fear could be real and major, not imagined and insignificant.

and you're right, living in fear isn't healthy. but the world is full of massive amounts of oppression and suffering and it is difficult for some to not live in fear every day.

so, while the geeks of the world have privilege and resources and inher

Any technology that empowers people can be used both for good and bad. Fire, knives, cars, gas, etc. Tor is not something that's likely to cause an end to the world, there are a lot more potent things to worry about.

Not much you can do about it. Encryption, anonymous remailers, proxies, all can be used for good and bad purposes. So can speech, religion, press, arms, etc.

Either we stand up to our responsibilities as adults and advanced and civilized people with a sense of honor, propriety, and duty, and chase criminals and terrorists while playing by the traditions, rules, regulations, and laws... or we dispense with our rights, liberties, and privileges in the name of safety and prevention of infractions.

"tell me exactly what is the point of this tech if not the be bad with it.."

What is it good for? To surf the net anonymously. If you live in China, or soon in the EU, that can be a problem. The upcoming EU laws on data retention means that your ISP will keep track of what web pages you request, probably by forcing the customer to go through a central proxy. Some suggest that the ISPs should be allowed to use this information for commercial purposes to help offset their added costs. Now there's something

Complete accountability is wonderful in theory, but problematic in practice. First, even theoretically, it can only work if everyone is held accountable. If you're accountable to the police, but the police are not accountable to the people they serve, then anonymity might be required in order to report corruption and whatnot.

Now let's move on to practice. Say you want to do something pretty much harmless, but frowned upon by society at large, like lighting up a joint, having sex with your girlfr

Tor is completely open-source and peer-reviewed. The protocol is documented, and there is already at least one third-party implementation (JAP) that can access the same network. You really think it has evil Government spyware in it? Give me a break.